
COSO transition getting a close look from auditors

The early stages of implementation are over for many companies using
the updated internal control framework of the Committee of Sponsoring
Organizations of the Treadway Commission (COSO).

In 2013, the framework—which had been in use since 1992—was updated
to reflect changes in the business environment. U.S. public companies
have been working to implement the new framework to fulfill their
internal control over financial reporting requirements under the
Sarbanes-Oxley Act (SOX).

COSO will consider the 1992 framework to be superseded following a
transition period that ends Dec. 15, 2014. Although COSO is not a
regulatory agency with enforcement power, then-SEC Chief Accountant
Paul Beswick said shortly after the framework’s release that the SEC
plans to monitor the transition, and referred users of the framework
to the statements COSO has made about transition.

After working on implementation, many companies that use the
framework are having discussions with their auditors about what has
been done.

“Now what’s happening, as we turn the corner in the third and fourth
quarters, the company’s accounting firm is now getting involved in the
transition, asking and having discussions about what was done, what
have the results been, what were their expectations,” COSO Chairman
Robert Hirth said.

Jennifer Burns, CPA, a partner in the regulatory and professional
matters group at Deloitte LLP, said her impression after working with
clients is that they appreciate the way the updated COSO framework
explicitly expressed 17 principles for effective internal control—and
points of focus that provide greater understanding of each principle.

One task for organizations in implementing the framework has been an
exercise to map the controls to those 17 principles.

“People really like the structure of the new framework—using the
principles and the points of focus,” Burns said. “I think they find it
helpful in terms of understanding and improving controls overall.”

Sandy Herrygers, CPA, a partner and IT specialist leader at Deloitte
& Touche LLP, said the difficulty organizations have experienced
in implementation has varied depending on how well their controls had
been implemented around the original framework.

“Companies that went above and beyond on the original framework—most
of the larger, mature public companies—haven’t seen as significant a
change with the new framework,” she said, “because in a lot of the new
content areas, they had already implemented controls.”

Here are some of the areas that Herrygers and Burns said have
required extra attention from organizations in implementing the framework.

IT considerations. The updated framework, unlike
the original, mentions specific considerations for companies with
regard to information technology controls. Principle 11, in
particular, describes how IT controls should be structured.
Herrygers said most public companies used other IT frameworks for
their general IT controls, so the COSO 2013 requirements in
Principle 11 weren’t new to most companies. “For those companies,
there are some new controls that need to be added, but not as
significant a change,” she said. “But, if you were one of the
companies that did the bare minimum around the original COSO
implementation for IT, then you probably have a lot more work to do
to satisfy Principle 11.”

Outsourced service providers. Many companies have
had to add new controls around outsourced service providers,
Herrygers said. Previously, companies had specific controls and
activities for outsourced service providers to satisfy the control
activities component of the framework, but they did not have
controls for outsourced service providers around the other four
components (control environment, risk assessment, information and
communication, and monitoring activities). Herrygers said many
companies have had to add certain controls in this area, such as
controls related to ethical values, code of conduct, and
service-level agreements.

Information quality. Principle 13 of the framework
states that the organization obtains or generates and uses relevant,
quality information to support the functioning of internal control.
Herrygers said that most of her firm’s clients have high-level
controls around information quality, but they may not have assessed
the controls over information in reports that underlie their
internal control over financial reporting. “So, now with the new
framework, you have to go to that extra level of detail and add some
additional controls around information quality as part of the
implementation,” Herrygers said.

Burns said the initial gap assessments performed as part of
implementation have discovered gaps that can be placed into four categories.

Principle gaps. These occur when organizations fail
to meet the standards set by one or more of the principles in the framework.

Control attribute gaps. These happen when companies
see that they aren’t meeting one or more points of focus that apply
to their organization. “Even though meeting all the points of focus
isn’t required under the new framework, some companies are saying,
‘We want to make some enhancements here,’ to ensure that they’ve met
the spirit of the principle,” Burns said.

Control testing gaps. Once a new control is added,
it needs to be tested as part of the company’s assessment of
internal control over financial reporting under SOX-related requirements.

Control evidence gaps. These are cases where a
control is present and functioning but hasn’t been appropriately
documented. The updated framework (and related SOX rules) requires
additional documentation in order to support management’s assessment
of internal control over financial reporting, and that has required
work on the part of some companies.

Deloitte also has advised clients to look beyond the basic
mapping to the new principles and points of focus and take a fresh
look at the areas of internal control that historically have been
problem areas for public companies in general. These include, for
example, a lack of technical accounting skills and accounting for income taxes.

“There are areas that have just been difficult for companies to get
their arms around from an internal control perspective,” Herrygers said.

But the basic implementation has been smooth, she said, because
companies have had a healthy dialogue with their auditors while
undergoing the mapping process and addressing any shortcomings.

“When the client works on the gap assessment, we’re one step behind
them, reviewing the work and providing input,” Herrygers said. “So I
feel that the process has been very effective in terms of how we’re
coordinating to make sure there aren’t surprises at the end of the year.”
